Audit of NARA’s Internal Control Program

OIG Audit Report No. 13-01

December 10, 2012

Table of Contents

Executive Summary
Background
Objectives, Scope, Methodology
Audit Results
Appendix A – Status of Prior Recommendations
Appendix B – Acronyms and Abbreviations
Appendix C – Management’s Response to the Report
Appendix D – Report Distribution List

Executive Summary

The National Archives and Records Administration (NARA) Office of Inspector General (OIG) performed an audit of NARA’s Internal Control Program (ICP). The Federal Managers’ Financial Integrity Act (FMFIA) and the Office of Management and Budget’s (OMB) Circular A-123, Management’s Responsibility for Internal Control (Circular A-123), provide guidance for implementing an ICP. They require agency heads to conduct ongoing reviews of controls and to evaluate and report annually on the systems of internal accounting and administrative control.
The purpose of this audit was to evaluate (1) NARA’s compliance with the guidance in FMFIA and Circular A-123 and the adequacy of the agency’s assurance statement, (2) NARA’s progress toward a formalized and comprehensive ICP, and (3) the status of open recommendations from prior year reports.

Our initial assessment of the agency’s FY 2011 assurance statement, conveyed in our October 14, 2011 memorandum, was that the statement underreported the material risk associated with Electronic Records Management. The agency has consistently underreported material risks over the past five years for programs including Preservation and Processing, and has not accurately reflected the breadth of risks in NARA’s Information Security Program. Without an effective ICP, the Archivist of the United States’ (AOTUS) annual assurance statement to the President and the Congress may not clearly reflect NARA’s current internal control environment, including its risks.

Despite concurring with recommendations on an ICP in prior reports by NARA’s OIG and the Government Accountability Office (GAO) [1], NARA has yet to fully establish the program. Management has not implemented an ICP because of (1) the complex nature of the program and a lack of understanding of its benefits, (2) a lack of attention to the ICP, and (3) a lack of resources for successful implementation of the program. NARA also has not implemented five recommendations from prior OIG reports on the ICP. [2] By not implementing the program, NARA is exposed to a variety of risks that may go unforeseen or unmitigated, and it cannot self-identify and appropriately manage significant weaknesses such as those identified in prior and current audits performed by the OIG.
Additionally, NARA cannot take advantage of the benefits of a well-defined and developed program, such as (1) improved decision making, (2) risk identification, management, and mitigation, (3) opportunities for process improvement, (4) effective use of budgeted resources, and (5) strategic planning.

We are making one recommendation which we believe, once implemented, will address the weaknesses cited in this review.

[1] Identified as enterprisewide risk management in GAO’s report, National Archives and Records Administration: Oversight and Management Improvements Initiated, but More Action Needed (GAO-11-15).
[2] Recommendations from OIG 09-14 and OIG 10-19 have not been implemented by the agency.

Page 3
National Archives and Records Administration

Background

The Federal Managers’ Financial Integrity Act (FMFIA), Public Law 97-255, requires each agency to establish controls that reasonably ensure (1) obligations and costs comply with applicable law, (2) assets are safeguarded against waste, loss, unauthorized use, or misappropriation, and (3) revenues and expenditures are properly recorded and accounted for. In addition, the agency head must annually evaluate and report on the systems of internal accounting and administrative control.

OMB Circular A-123, Management’s Responsibility for Internal Control (Circular A-123), defines management’s responsibility for internal control in Federal agencies. It provides guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations by establishing, assessing, correcting, and reporting on internal control.
OMB revised Circular A-123 in response to the Sarbanes-Oxley Act, effective in fiscal year 2006. The revision strengthened the requirements for management’s assessment of internal control over financial reporting. These new requirements apply only to the 24 Chief Financial Officers Act agencies, so NARA is exempt from reporting under Section 4 of FMFIA. NARA is still required to report on internal controls under Section 2 of FMFIA.

NARA Directive 114, Management Controls (NARA 114), establishes policy for improving the accountability and effectiveness of NARA programs and operations by establishing, assessing, correcting, and reporting on management controls. NARA 114 defines responsibilities; defines the types of reviews that may be considered internal control assessments; identifies the documentation that must be maintained to support an internal control evaluation; and addresses the development and maintenance of management control plans. Among the responsibilities it defines, Office Heads are required to identify and analyze risk, and the Performance and Accountability Office (CP) is required to provide oversight, guidance, and assistance to NARA offices on implementing the NARA internal control program.

Interim Guidance NARA 160-1 describes the FY 2012 requirements for reporting to the Archivist on internal controls.
That reporting must include the status of control monitoring and testing activities; the status of recommendations resulting from audits, management reviews, and contractor assessments; and information on risks (such as current or potential Material Weaknesses, Significant Deficiencies, or Control Deficiencies).

Assurance statements and information relating to FMFIA Section 2, Section 4 (from which NARA is exempt), and internal control over financial reporting are to be provided in a single FMFIA section of the annual Performance and Accountability Report (PAR) labeled “Management Assurances.” That section should include the annual assurance statement, a summary of material weaknesses and non-conformances, and a summary of corrective action plans. Furthermore, FMFIA requires the Archivist to submit annually to the President and Congress (1) a statement on whether there is reasonable assurance that the agency’s controls are achieving their intended objectives, and (2) a report on material weaknesses in the agency’s controls.

Objectives, Scope, Methodology

The objectives of the audit were to evaluate (1) NARA’s compliance with the guidance in FMFIA and Circular A-123 and the adequacy of the agency’s assurance statement, (2) NARA’s progress toward a formalized and comprehensive Internal Control Program (ICP), and (3) the status of open recommendations from prior year reports.
Specifically, we (1) interviewed personnel involved in developing NARA’s ICP and (2) reviewed the status of open recommendations from prior year reports. To facilitate the submission of NARA’s annual assurance statement, we also performed a preliminary review of the assurance statement in October 2011.

This audit was conducted in accordance with generally accepted government auditing standards between October 2011 and September 2012. [3] Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides that basis.

[3] The audit was delayed by OIG staffing shortages: the auditor originally assigned to it left the agency, and the audit was on hold until it was reassigned.

Audit Results

1. NARA has yet to establish an Internal Control Program.

Although Senior Management agreed in 2010 to formalize NARA’s ICP, the program has yet to be developed and fully implemented. This condition exists because management has neither made the program a priority nor provided adequate resources to establish it.
As a result, the lack of an ICP (1) leaves the agency exposed to a variety of risks that may go unforeseen or unmitigated and (2) prevents the agency from self-identifying and appropriately managing or mitigating significant weaknesses such as those identified in the Audit of the Management of Records at the Washington National Records Center (WNRC) (OIG 12-02 and 12-05) and NARA’s Network Discovery and Assessment Audit (OIG 12-11). [4] Also, without the program, the Archivist of the United States’ (AOTUS) annual assurance statement to the President and the Congress may not clearly reflect NARA’s current internal control environment. An ICP (1) provides more effective leadership, strategic direction, and accountability in fulfilling NARA’s mission, meeting objectives, and establishing clear lines of responsibility for results; (2) ensures adequate controls are in place to provide reasonable assurance that program activities operate efficiently and effectively, that reliable and timely information is obtained, maintained, recorded, reported, and used for decision making, that assets are safeguarded, and that programs are managed with integrity and in compliance with applicable laws and regulations; and (3) enables NARA to better prevent, detect, and mitigate waste, fraud, abuse, and mismanagement.

According to Circular A-123, management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations. Additionally, the Government Accountability Office (GAO) “Standards for Internal Control in the Federal Government” provides the underlying rationale for an ICP.
The Standards state, “A key factor in helping achieve better ways to achieve agencies’ missions and program results is to implement appropriate internal controls. Effective internal controls also help in managing change to cope with shifting environments and evolving demands and priorities.”

[4] Audit Reports OIG 12-02 and 12-05 disclosed that management controls were missing, ineffective, or inadequate to appropriately safeguard, secure, manage, and handle records at WNRC. OIG 12-11 identified a lack of strategic planning regarding the redundancy, resiliency, and overall design of NARA’s network. Internal control reviews, including risk assessments, performed before these audits could have identified some of the significant deficiencies reported in them.

Prior Reports on NARA’s Lack of an Internal Control Program

In 2008, the OIG conducted an Evaluation of NARA’s Management Control Program (OIG 08-06). We identified weaknesses resulting from a lack of familiarity with NARA 114, Management Controls, an incomplete understanding of internal controls, and management control plans that were improperly or too narrowly scoped. The 2009 report, Evaluation of NARA’s FY 2008 Management Control Program (OIG 09-14), found that at the end of the FMFIA reporting period, September 30, 2009, (1) management had not yet completed action to close the recommendations in the prior year’s audit report, and (2) two program offices did not adequately monitor internal controls.
Our last audit, in 2010, Audit of NARA’s Internal Control Program (OIG 10-19), found NARA (1) had not implemented any of the prior year recommendations, (2) had not fully complied with the requirements of Circular A-123 because there was no formalized ICP, and (3) would not be in full compliance with Circular A-123 until it identified critical functions and control and monitoring activities and developed a formal risk management process.

After the OIG’s 2010 report, GAO reported similar concerns regarding an ICP. GAO’s report, National Archives and Records Administration: Oversight and Management Improvements Initiated, but More Action Needed (GAO-11-15), found that NARA had not established an enterprise risk management (ERM) capability, reducing its ability to anticipate future challenges and avoid potential crises. GAO recommended that the AOTUS develop, and assign responsibility and resources for, an enterprisewide risk management capability that allows NARA to monitor its internal and external environments continuously and systematically, so that senior staff and decision makers can appropriately and quickly assess threats and vulnerabilities stemming from enterprise risks. As the GAO report stated, without an effective program of risk assessment and internal control, management has less assurance that it is using organizational resources effectively and efficiently, or that agency assets and operations are protected. The report further noted that, as called for by the Standards for Internal Control in the Federal Government, agencies should continuously and systematically monitor their internal and external environments to anticipate future challenges and avoid potential crises.

NARA’s management concurred with all of the recommendations in the prior OIG reports on internal control.
Specifically, in response to the 2010 report, management agreed to formalize the ICP around the five standards for internal control: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The Action Plan for that report gave a completion date of May 2011 for the ICP. In response to the GAO report, NARA committed to (1) roll out an enterprise-wide internal controls program that uses risk assessment as an integral part of managing and monitoring internal controls, (2) embed an awareness of risk factors throughout the organization as part of an ongoing, repetitive process, and (3) assign a NARA Risk Officer to manage the process and raise identified risks to the Leadership Guidance Team (LGT) or a similar executive leadership group.

Performance and Accountability Office and the Internal Control Program Project Plan

Since the last OIG and GAO reports, NARA has made minimal progress toward establishing an ICP. NARA’s internal control practices have fallen behind government-issued directives and the practices of other federal agencies. While CP has taken actions to improve NARA’s ICP, actions to fully implement the recommendations from the prior OIG and GAO reports are still needed (see Appendix A – Status of Prior Recommendations), including development and full implementation of the ICP.
CP’s Management Control Liaison stated that the other remaining open recommendations will be resolved upon revision of NARA 114, Management Controls, which cannot be fully revised until NARA’s formal ICP is developed.

In 2010, CP developed a project plan to address the areas in which NARA was not compliant with Circular A-123. Although the plan was revised in 2012 (see Table 1 – Status of ICP Project Plan), it does not clearly outline all of the key activities required for the ICP to be compliant with Circular A-123 and fully operational.

The current approach is to roll out the ICP at one time for all programs and functions within the agency, which could be a problem. According to McKinsey & Company’s report, Strengthening Risk Management in the US Public Sector, government agencies should roll out new risk-management approaches one process or area at a time. This approach has several advantages, including (1) convincing the broader enterprise that risk management need not be a bottleneck and can be a source of positive improvement, and (2) producing lessons from early efforts that can be applied in subsequent ones.

Our August 2012 review of the project plan found that many of the activities had not been completed or started. Some were scheduled for completion by the end of FY 2012, including identifying existing programs and functions and developing criteria to determine the criticality and risk of functions.
The Director of CP indicated that the remaining activities will be completed over three years, with the ICP fully implemented by the end of FY 2015 [5], but agency officials have not been involved in the process to formally acknowledge this plan.

[5] Based on our review, the ICP will be fully implemented by the end of FY 2015 only if departmental and additional CP resources are made available.

Table 1: Status of Internal Control Program Project Plan (provided by CP)

Task | Expected date of completion | Status as of September 2012
---- | --------------------------- | ---------------------------
Populate ICP database with Program, Program Owner, Function, Function Owner, Open Recommendations, and Performance Measures for each office | Complete by July 31, 2012 | Complete
Develop criteria/questions for determining criticality (high or low) and risk (high/med/low) for each function | Complete by July 31, 2012 | Complete [6]
Vet populated database with offices – ask for program and function owner names where missing, ask offices to review program and function alignment one last time | September 2012 | Complete [6]
Offices use criteria/questions to rank the criticality and risk of each function | September 2012 | In Progress
Processes, SOPs/IOPs, and Key Performance Indicators (KPI) internal to each office are added to the ICP database (making it more comprehensive and robust) on the basis of function criticality and risk | Starts October 1, 2012 (ongoing throughout FY 2013) | In Progress – Ongoing
Assurance Statement/Internal Control Reporting to be based on and reflective of each office’s Program and Function hierarchy, with consistently structured reporting from quarter to quarter and year to year | Starts October 1, 2012 (ongoing throughout FY 2013) | Ongoing
FY13 Internal Control Test Plan developed around high criticality, high risk functions | Test plans for FY 2013 developed by October 31, 2012 | Tests to be developed based on results of risk questionnaires

The approach outlined by CP for implementing the ICP would result in a sufficient program; however, it cannot be brought to fruition without more management involvement and additional resources.
Many of the tasks in the project plan have not been completed because of (1) the complex nature of the program and management’s lack of understanding of the importance of an ICP, (2) a lack of attention and commitment by Senior Management, and (3) a lack of resources for successful implementation of the program.

Complex nature of the program and lack of understanding

Implementing an ICP is a difficult challenge because most NARA stakeholders (Senior Management, Program Owners, and Function Owners) do not have a basic understanding of (1) risk management principles, (2) the purpose of the ICP, and (3) the benefits to the agency of a risk management approach. As a result, managers do not adequately or consistently monitor the controls associated with their programs, or understand the risks to their programs and how to mitigate them. This will remain a challenge unless management communicates its commitment to the program and provides training to all stakeholders involved in the process. Currently, there is no communication (e.g., a Risk Management Policy) (1) of NARA’s commitment to risk management or (2) defining key principles, roles, responsibilities, processes, and common terminology.

[6] The tasks for Information Services need to be redone because of the recent organizational restructuring and rewrite of NARA 101. Additionally, the tasks for the Office of Innovation need to be completed because it was only recently established and its functional statements have not been finalized.

According to a report by the IBM Center for The Business of Government, Managing Risk in Government: An Introduction to Enterprise Risk Management, “educating a workforce unfamiliar with enterprise risk management terminology and concepts is a key issue for leading enterprise risk management activities.” While CP recognizes the need, a training plan has not been developed or implemented. An effective training and education plan would equip NARA’s stakeholders with the knowledge they need to apply risk management to their day-to-day jobs and would help champion NARA’s effort to develop a formalized, risk-based ICP.

Lack of attention and commitment

When CP started work on the ICP there were competing priorities, including the Transformation effort, in which the one CP staff person assigned to the ICP was also involved along with NARA’s Management Team. For the ICP to succeed, NARA’s Management Team can no longer overlook the program; more input and oversight are required. In the Business Transformation Plan (issued May 29, 2011), NARA committed to establishing an ERM capability and a Risk Officer to analyze and manage risks and opportunities. NARA has yet to identify a Risk Officer, but in response to GAO’s recommendation it established the Management Control Oversight Council (MCOC) in 2011. The MCOC comprises all members of NARA’s Management Team, with the Chief Operating Officer (COO) serving as chair. Although the MCOC was created to provide the leadership and oversight necessary for effective implementation of NARA’s ICP, it has not fulfilled that purpose. Since its creation, the MCOC’s quarterly meetings have focused solely on reviewing action plans for the agency’s material weaknesses and risks for FMFIA reporting purposes.
Based on our review of the meeting minutes, (1) CP is not actively involved in the meetings to discuss the ICP, (2) no new weaknesses or risks have been identified, and (3) no directives have been issued regarding implementation of the ICP.

The COO indicated that Senior Management is very committed to seeing the ICP developed. He also stated that he (1) sees the ICP as an opportunity for NARA managers to take ownership of problems, (2) would like to avoid material weaknesses being identified only by the OIG, and (3) would like to see managers identify problems earlier. He is hopeful that the ICP planned by CP will assist in this. Given the current internal control environment, the outcomes the COO would like to see from an ICP are unlikely to be achieved. Until Senior Management formally acknowledges the program and puts the necessary resources in place, the program will continue to underdeliver. Additionally, absent an ICP, audits performed by the OIG or oversight agencies will continue to be the sole source for systematically identifying risks.

The OIG asked Senior Management (1) how far along NARA was in establishing an ERM capability and (2) what was limiting an ERM capability from being implemented. Management did not provide a definitive answer or specific details on the state of ERM or any limitations. The OIG also asked about identifying a Risk Officer for the agency. The COO indicated that his position will now serve as the Risk Officer and that NARA 101 will be updated to reflect this change. This decision does not demonstrate management’s commitment to ERM or emphasize its importance.

Currently, eight offices report to the COO position: (1) Federal Register, (2) Agency Services, (3) Research Services, (4) Information Services, (5) Business Support Services, (6) Legislative Archives, Presidential Libraries, and Museum Services, (7) Corporate Records Management, and (8) CP. According to McKinsey & Company’s report, Strengthening Risk Management in the US Public Sector, public sector institutions should establish a dedicated risk-management organization that resides in a prominent place in the organization; the Chief Risk Officer should be at the same level as the COO or Chief Financial Officer (CFO), or at most one level below. It further states that risk personnel should have deep knowledge of both risk management and the institution’s business. NARA would benefit from selecting an individual who (1) could devote the majority of their time to effectively leading the implementation and management of an ICP, (2) possesses risk management skills, and (3) is capable of building a risk-aware culture agency-wide.

Lack of resources

Budget resources to hire staff and develop an ICP system have not been made available to support implementation of the ICP. Currently, only one CP employee is assigned to implement the ICP. The program is too large and complex for one person to implement across the agency. The COO originally indicated to the OIG that no additional staffing resources were available, but the hiring of one additional staff member has since been approved. The ICP for a similarly sized agency, the Library of Congress, is administered in the Library’s Strategic Planning Office under the Chief Financial Officer.
The Library has one ICP Administrator and 11 ICP Coordinators, who administer the ICP for each of the Library’s service units.

According to the McKinsey & Company report, Strengthening Risk Management in the US Public Sector, public sector institutions should push for legislation that requires the appointment of a Chief Risk Officer (CRO) and the formation of a risk-management department, with specific details about the roles, responsibilities, and qualifications of risk-management staff. The report further states that the risk organization’s structure should mirror the agency’s structure, with dedicated risk personnel for each focus area. The exact size of the risk organization will vary by agency, but it must be large enough to dedicate one or two people to each high-priority area. While the one additional resource will benefit the ICP, program implementation and management will remain a challenge, and program benefits will be under-realized, until adequate resources are employed to support the program.

CP was not given funding to procure software and is now internally developing a Microsoft Access database to support automation of the internal control/risk management program. The database will not (1) have the capability to adequately support a robust ICP, (2) append information to support decisions about the criticality of functions, inherent and residual risks, and the results of testing and monitoring activities, (3) support automatic notification of events based on a hierarchical structure, or (4) accommodate automated alerts for significant events, such as when a new function is added and the criticality of a program or function changes as a result.
New software to support the ICP (estimated to cost $200,000 initially and $12,000 annually for maintenance) would (1) automate the reporting and sharing of information concerning functions, risks, controls and performance data across the agency and (2) allow for the assignment and tracking of risks and recommendations. In our opinion, the cost of the software is minimal in comparison to the intangible benefits that would be gained by the agency.

Performance and Accountability Office and Office of Strategy
Currently, there are two different offices, CP and the Division of Strategy, performing similar responsibilities as they relate to internal controls. According to NARA 101, NARA Organization and Delegation of Authority, CP is delegated the authority to coordinate NARA's implementation of OMB Circular A-123, the NARA internal management control review system, independent internal testing, enterprise risk management, and the Federal Managers' Financial Integrity Act. CP also serves as NARA’s Risk Officer, overseeing the agency’s ERM program. The Strategy Division (within the Strategy and Communications Office) is responsible for coordinating and facilitating NARA issues management and strategic policy analysis activities as well as engaging NARA staff and stakeholders to address the agency's goals, issues and opportunities.

The Strategy Division’s responsibilities appear to be parallel to, and in direct conflict with, the authority delegated to CP as it relates to the ICP. A part of administering an ICP is identifying risk, quantifying risk exposure, assigning risk ownership, determining mitigation strategy, and tracking and managing mitigation to closure.
CP indicated there has been no formal coordination or sharing of information between CP and the Strategy Division regarding risks and issues management. The OIG attempted, but was unable, to discuss the Strategy Division’s role in identifying agency risks for the Strategic Plan and whether there was any overlap with the ICP work performed by CP. The Strategy Division cannot coordinate and facilitate issues management if it is not in communication with the office in charge of implementing the ICP. It is also not beneficial for these two offices to be working in silos and not effectively communicating.

Recommendation

The Archivist of the United States should demonstrate a commitment to the development, implementation, and operation of NARA’s ICP by ensuring:

   a) The MCOC becomes more involved in the decision making and implementation plan for the ICP. Additionally, periodic reports (at least quarterly) must be presented to the MCOC to review the progress of the ICP.
   b) All risk management activities (identifying controls, risks, tactical risks, issues management, etc.) are coordinated with CP, which is delegated the authority of overseeing the agency’s ERM program.
   c) Revisions are made to the existing project plan outlining concise, detailed tasks required for full implementation of the ICP (from current status to full implementation).
   d) Resources are employed to develop and implement the ICP, including but not limited to a Chief Risk Officer, additional employees or contractors, and the purchase of appropriate ICP software.
   e) Risk management responsibilities are included in the performance plans for program and function owners.
   f) Prior recommendations from previous OIG and GAO reports are closed.
   g) A Risk Management Policy is created to communicate NARA’s commitment to enterprise risk management.
   h) Procedures are documented that clearly describe the ICP, including outlining a process for tracking issues and corrective actions identified.
   i) A training plan is developed that encompasses educating the agency on risks and internal control. Additionally, training is provided to all individuals responsible for executing the ICP, including program owners, function owners, and MCOC members.

Management Response

Management concurred with the recommendation.

Appendix A – Status of Prior Recommendations

The chart below identifies audit recommendations from prior OIG and GAO reports regarding NARA’s Internal Control Program.

Recommendation [7]                                                                        Status

1. Director of Policy and Planning should work with offices in general, and management control liaisons in particular, to: (1) stress the importance of performing internal control assessments of critical areas in accordance with management control plans and NARA 114; (2) ensure the results of the assessments are included in the assurance statements; and (3) revise, as necessary, the lists of “critical functions” to be reviewed. (OIG 09-14)
   Status: Partially implemented (only item 3 is implemented)

2. Assistant Archivist for Administrative Services should ensure Annual Information Security Self Inspection results are reviewed in a timely manner, instances of non-compliance are identified, and corrective actions are monitored; and self inspections are reviewed and documented in accordance with guidance concerning self-assessments contained in NARA 114. If a formal process as referred to by the Information Security Officer cannot be completed in time to facilitate the review of FY 2009 information security self inspections, an alternate means of reviewing the checklists should be developed. (OIG 09-14)
   Status: Implemented

3. AOTUS should ensure NARA policy on internal controls (such as NARA 114) is revised to specifically address the process by which findings are evaluated and categorized; criteria used in the decision making process; and documentation necessary to support such conclusions. (OIG 09-14)
   Status: Not implemented

4. Assistant Archivist for Regional Records Services should ensure all program findings, regardless of whether they are considered major or minor, are tracked to resolution and supported by adequate documentation. (OIG 09-14)
   Status: Not implemented

5. AOTUS should demonstrate a commitment to the internal control program by establishing centralized responsibility within NARA’s existing organizational structure or within the proposed Performance & Accountability Office (as indicated in the Proposed NARA Organization Report from the Archivist’s Task Force on Agency Transformation). (OIG 10-19)
   Status: Implemented

6. AOTUS should formalize the Internal Control program to include the five standards for internal control: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. (OIG 10-19)
   Status: Not implemented

7. AOTUS should consider establishing a Senior Management Council to provide oversight and additional accountability for the Internal Control Program. (OIG 10-19)
   Status: Implemented

8. AOTUS should ensure that NARA’s senior staff and decision makers can appropriately and quickly assess threats and vulnerabilities stemming from enterprise risks, and develop and assign responsibility and resources for an enterprisewide risk management capability that allows it to monitor its internal and external environments continuously and systematically. (GAO-11-15)
   Status: Not implemented

[7] After the Transformation effort in 2011, office names and symbols subsequently changed to reflect the current reorganization. However, the previous office names are used in the chart above to reflect the historical names of the offices the recommendations were addressed to in previous audit reports.

Appendix B – Acronyms and Abbreviations

AOTUS            Archivist of the United States
COO              Chief Operating Officer
CFO              Chief Financial Officer
CP               Performance and Accountability Office
CRO              Chief Risk Officer
ERM              Enterprise Risk Management
FMFIA            Federal Managers’ Financial Integrity Act
GAO              Government Accountability Office
ICP              Internal Control Program
MCOC             Management Control Oversight Council
NARA             National Archives and Records Administration
OIG              Office of Inspector General
OMB              Office of Management and Budget
PAR              Performance and Accountability Report
Circular A-123   Circular A-123, Management’s Responsibility for Internal Control
WNRC             Washington National Records Center

Appendix C – Management’s Response to the Report

Appendix D – Report Distribution List

Archivist of the United States (N)
Deputy Archivist of the United States (ND)
Chief Operating Officer (C)
Executive of Agency Services (A)
Chief Financial Officer (BC)
Director, Performance and Accountability (CP)
Management Control Liaison, Performance and Accountability (CP)